How can I add a .pem private key fingerprint entry to known_hosts before connecting with ssh?

I have host A in AWS as an EC2 instance.

I have a private key embedded in a .PEM file that I can use to connect to host A with SSH key Z. This works if I pass it to the ssh command using the -l argument, AND if I turn off strict host checking with -o StrictHostKeyChecking=no.

I would strongly prefer to leave strict host checking on even though I “know” this is the correct host, because I’m interacting with the AWS interface, getting the IP/DNS from them, and I’m inside of my own little VPC world.

It seems like the only way to provide the fingerprint -> host mapping is by providing it in a known_hosts file.

Is that correct?

If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary known_hosts file that I can read when I’m logging into the EC2 instance?

WHAT I DO NOT WANT TO DO

  • Use ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches with the key. I think?
  • Turn off StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I’m going to need to know how to do this in general. (By this I mean how to use SSH fingerprints to validate the identity of the host I’m connecting to, based on the key that I have.)
  • Mess around with ssh-add. I want to write this to a file that’s easy to lock down access to, not put it into a running process.
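The following is an added worked example, not code from the question or from OpenSSH. It builds the one-host known_hosts entry the question asks for and checks it, under one assumption the question does not state: the server's public host key (or at least its fingerprint) has to come from a trusted out-of-band source, because the .pem private key AWS hands out is the client's authentication key and says nothing about the server's host key. On EC2 that source is the instance console output, which prints the host key fingerprints on first boot; the public key file itself (/etc/ssh/ssh_host_ed25519_key.pub) can be read over any channel you already trust. The hostname (a TEST-NET-3 address) and the 32-byte key below are constructed stand-ins; the ssh options in the final command (-i, -o StrictHostKeyChecking=yes, -o UserKnownHostsFile=...) are real OpenSSH options.

```python
"""Build and check a single-host known_hosts entry without ssh-keyscan.

Added example, not from the question or from OpenSSH. Assumes the server's
public host key was obtained out of band (for EC2: compare the fingerprint
against the first-boot console output). Hostname and key are constructed.
"""
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(b):
    """Length-prefixed string as used in the OpenSSH public-key wire format."""
    return struct.pack(">I", len(b)) + b


HOST = "ec2-203-0-113-10.compute-1.amazonaws.com"   # hypothetical host, TEST-NET-3 range
KEY_TYPE = "ssh-ed25519"
# Constructed stand-in for the server's public key blob: string(type) || string(32-byte key).
HOST_KEY_BLOB = ssh_string(KEY_TYPE.encode()) + ssh_string(bytes(range(32)))
HOST_KEY_B64 = base64.b64encode(HOST_KEY_BLOB).decode()


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host, key_type, key_b64, salt=None):
    """One known_hosts entry; pass a 20-byte salt to get the hashed form ssh-keygen -H writes."""
    if salt is None:
        host_field = host
    else:
        # hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        host_field = "|1|%s|%s" % (base64.b64encode(salt).decode(),
                                   base64.b64encode(mac).decode())
    return "%s %s %s" % (host_field, key_type, key_b64)


def entry_names_host(line, host):
    """True if the entry's first field names `host`: plain, comma-separated, or hashed."""
    host_field = line.split()[0]
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in host_field.split(",")


def verify_entry(line, host, expected_fingerprint):
    """Check the entry is for `host`, is internally consistent, and carries the expected key."""
    fields = line.split()
    if len(fields) < 3:
        return False
    _, key_type, key_b64 = fields[:3]
    blob = base64.b64decode(key_b64)
    if len(blob) < 4:
        return False
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():   # declared type must match the blob
        return False
    return entry_names_host(line, host) and fingerprint(blob) == expected_fingerprint


def write_known_hosts(path, lines):
    """Write the entries to a file readable only by its owner (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("".join(l + "\n" for l in lines))
    os.chmod(path, 0o600)   # O_CREAT mode only applies to a new file
    return path


def is_owner_only(path):
    """True when group and others have no permission bits on the file."""
    return os.stat(path).st_mode & 0o077 == 0


if __name__ == "__main__":
    fp = fingerprint(HOST_KEY_BLOB)   # compare this against the console-output fingerprint
    line = known_hosts_line(HOST, KEY_TYPE, HOST_KEY_B64)
    assert verify_entry(line, HOST, fp)
    path = write_known_hosts("known_hosts.tmp", [line])
    print(line)
    print("ssh -i key.pem -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s ec2-user@%s"
          % (path, HOST))
```

With StrictHostKeyChecking=yes, ssh refuses to connect to any host that is not already in the known_hosts file it was given, so a temporary file holding exactly one verified entry gives the single fingerprint-to-host mapping the question describes. The same steps with the stock tools are `ssh-keygen -lf ssh_host_ed25519_key.pub` to print the fingerprint, `ssh-keygen -F hostname -f known_hosts.tmp` to look an entry up, and `ssh-keygen -H -f known_hosts.tmp` to hash the host names in place.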

Convert ASN.1 key to openssl .pem to decrypt a message encoded in hex?

I have an ASN.1 type key:

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 

And a hex-encoded (I think?) message:

4c0605e901b09d75c5f5befe7438d7246f988531cc7a39a59f24b9488d47dfae9fc8beb5117f34a316f9380607bf239ba6eca84da47a12d720986a8a0100a7e9d7028d7e423557055b9e250f271d6436018c58e79a8f26bac10768776f06dc1786dd7428b3c445b8993e884630b36cb2d300fa5dc1fe0eba9e433062d9d8a58f33bf6f93aa37298a5703ccbf71c93adea447f018e9f75bb43dbc528cfc9bed865a9ba43f926071dabc89ccca2e000f1a966855cc9816e45c0113edb55a700198d346a90487b5ff1191994973eb1b5252b22c6410aa70ea4e9c3ebd468ef273d7cf9d15b5824244cd25f252886d1edfe2d6f2caa5d5e00fd84597e3de192db41b 

I want to decrypt the message using the key; how is that possible?
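An added worked example, not code from the question: the posted key is not on the page, so this block generates its own 2048-bit RSA key pair (hypothetical, pure Python, a second or two) and shows what decrypting such a message involves underneath. The hex string above decodes to 256 bytes, which is exactly the size of a 2048-bit RSA modulus, so the block keeps it only to show that length check; the padding scheme (PKCS#1 v1.5, the default for `openssl rsautl`/`pkeyutl`) is an assumption, since the question does not say how the message was encrypted. A PEM file is the DER (ASN.1) bytes base64-encoded between `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` lines, so in practice the steps are to hex-decode the message to a binary file and run `openssl pkeyutl -decrypt -inkey key.pem -in msg.bin`.

```python
"""Decrypt a hex-encoded RSA ciphertext with PKCS#1 v1.5 padding, in pure Python.

Added example, not from the question. The questioner's key is not available,
so a fresh 2048-bit key pair is generated here (hypothetical). The hex string
from the question is kept only to relate its length to the modulus size.
"""
import random

_rng = random.SystemRandom()
E = 65537

# Ciphertext posted in the question, split into 64-character rows for readability.
PAGE_CIPHERTEXT_HEX = (
    "4c0605e901b09d75c5f5befe7438d7246f988531cc7a39a59f24b9488d47dfae"
    "9fc8beb5117f34a316f9380607bf239ba6eca84da47a12d720986a8a0100a7e9"
    "d7028d7e423557055b9e250f271d6436018c58e79a8f26bac10768776f06dc17"
    "86dd7428b3c445b8993e884630b36cb2d300fa5dc1fe0eba9e433062d9d8a58f"
    "33bf6f93aa37298a5703ccbf71c93adea447f018e9f75bb43dbc528cfc9bed86"
    "5a9ba43f926071dabc89ccca2e000f1a966855cc9816e45c0113edb55a700198"
    "d346a90487b5ff1191994973eb1b5252b22c6410aa70ea4e9c3ebd468ef273d7"
    "cf9d15b5824244cd25f252886d1edfe2d6f2caa5d5e00fd84597e3de192db41b"
)


def is_probable_prime(n, rounds=20):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit and low bit set
        if is_probable_prime(cand):
            return cand


def generate_rsa_key(bits=2048):
    """Return (n, e, d, k) where k is the modulus length in bytes."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:          # E is prime, so this is gcd(E, phi) == 1
            n = p * q
            return n, E, pow(E, -1, phi), (n.bit_length() + 7) // 8


def pkcs1_v15_pad(msg, k):
    """EM = 0x00 || 0x02 || PS || 0x00 || M, with PS at least 8 nonzero random bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(_rng.randrange(1, 256) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em):
    # Distinguishing these failures to a remote party is the Bleichenbacher padding
    # oracle; real code should use a library and prefer OAEP over v1.5 padding.
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:                              # PS must be at least 8 bytes long
        raise ValueError("bad padding")
    return em[sep + 1:]


def encrypt_pkcs1_v15(key, msg):
    n, e, _, k = key
    m = int.from_bytes(pkcs1_v15_pad(msg, k), "big")
    return pow(m, e, n).to_bytes(k, "big").hex()


def decrypt_pkcs1_v15(key, ct_hex):
    """hex text -> k bytes -> integer c < n -> m = c^d mod n -> strip padding."""
    n, _, d, k = key
    ct = bytes.fromhex(ct_hex)
    if len(ct) != k:
        raise ValueError("ciphertext is %d bytes but the modulus is %d" % (len(ct), k))
    c = int.from_bytes(ct, "big")
    if c >= n:
        raise ValueError("ciphertext out of range for this modulus")
    em = pow(c, d, n).to_bytes(k, "big")
    return pkcs1_v15_unpad(em)


def try_decrypt(key, ct_hex):
    """None instead of an exception when the text is not a valid ciphertext for this key."""
    try:
        return decrypt_pkcs1_v15(key, ct_hex)
    except ValueError:
        return None


if __name__ == "__main__":
    print("question's ciphertext:", len(bytes.fromhex(PAGE_CIPHERTEXT_HEX)), "bytes")
    key = generate_rsa_key(2048)
    ct = encrypt_pkcs1_v15(key, b"attack at dawn")   # constructed sample message
    print("sample ciphertext:", ct[:32] + "...", len(ct) // 2, "bytes")
    print("decrypted:", decrypt_pkcs1_v15(key, ct))
```

The length check is the first thing to do with a ciphertext of unknown provenance: a 256-byte value that is numerically smaller than the modulus is consistent with a single RSA block under a 2048-bit key, while any other length means either a different key size or a different scheme (for example hybrid encryption, where RSA only wraps a symmetric key).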